5 Replies Latest reply on Oct 29, 2012 5:25 AM by 12Robots

    CF9 Encrypt with AES 256-bit, example anyone?

    Pawel (Paul) Barnas

      Hi there. I'm looking for a working example of  the Encrypt method using the AES 256 bit key.  I think that I have the Unlimited Strength Jurisdiction Policy Files enabled.  And I'm still getting the CFError,

      The key specified is not a valid key for this encryption: Illegal key size. 

       

      Now I hit the wall, can't get it.  What am I doing wrong?  How can I verify that the policy files are installed and accessible to my cf file?  Any help is greatly appreciated.

       

       

      <cfset thePlainText  = "Is this working for me?" />

       

      Generate Secret Key (128):  <cfset AES128 = "#generatesecretkey('AES',128)#" /> <cfdump var="#AES128#"><BR>
      Generate Secret Key (192):  <cfset AES192 = "#generatesecretkey('AES',192)#" /> <cfdump var="#AES192#"><BR>
      Generate Secret Key (256):  <cfset AES256 = "#generatesecretkey('AES',256)#" /> <cfdump var="#AES256#"><BR><BR>

       

      <cfset theKey    = AES256 />
      <cfset theAlgorithm  = "AES/CBC/PKCS5Padding" />
      <cfset theEncoding  = "base64" />
      <cfset theIV    = BinaryDecode("6d795465737449566f7253616c7431323538704c6173745f", "hex") />

      <cfset encryptedString = encrypt(thePlainText, theKey, theAlgorithm, theEncoding, theIV) />

      <!--- Display results --->
      <cfset keyLengthInBits  = arrayLen(BinaryDecode(theKey, "base64")) * 8 />
      <cfset ivLengthInBits  = arrayLen(theIV) * 8 />
      <cfdump var="#variables#" label="AES/CBC/PKCS5Padding Results" />


      <cfabort>

        • 1. Re: CF9 Encrypt with AES 256-bit, example anyone?
          12Robots Level 4

          You probably do not have the unlimited jurisdiction policy files in the right place.

           

          It is very common for admins to think that the new policy files go in the usual <cfusion>/lib directory. But they actually go in the <cfusion>/jre/security/lib directory (unless you're on a Mac, then they go in JAVA_HOME/security/lib).

           

          You also need to restart once you get the policy files in place.

           

          I tested your script on my local machine, which does have the unlimited strength policy and it worked fine.

           

          Jason

          • 2. Re: CF9 Encrypt with AES 256-bit, example anyone?
            12Robots Level 4

            Oh, and your IV is too long. Shorten it by 16 characters. It should only be 128-bit, not 192-bit.

             

            Jason

            • 3. Re: CF9 Encrypt with AES 256-bit, example anyone?
              Pawel (Paul) Barnas Level 1

              Thanks Jason. I was hoping that you would see this and reply to me.  I saw many of your posts and your expertise as well as willingness to help others is greatly appreciated. I will apply your suggestions and post my results later. Thanks, Paul B.

               

              UPDATE:

               

              Jason, it works fantastic.  My files were in the correct directory... I somehow didn't connect that the IV length is 192. And I read your post that explains the IV length ( http://forums.adobe.com/message/4545840#4545840 ). Thank you Jason.

               

              Paul

              • 4. Re: CF9 Encrypt with AES 256-bit, example anyone?
                Pawel (Paul) Barnas Level 1

                Jason, one more quick question.  I have installed CF10 developers version server.  The v10 structure is a bit different from v9.  For example the Policy 6 files for the AES 256 encryption are found in \\ColdFusion10\jre\lib\security.  So, when I run my code I keep getting the

                The key specified is not a valid key for this encryption: Illegal key size.

                 

                What would be the solution here?  How come the version 10 of the server has it differently than version 9?  Any "enlightenment" is greatly appreciated.

                 

                Paul

                • 5. Re: CF9 Encrypt with AES 256-bit, example anyone?
                  12Robots Level 4

                  Version 10 is different from 9 because they run on different servlet containers. CF 10 uses Tomcat, CF 9 uses JRun, so things are in different places.

                   

                  \\ColdFusion10\jre\lib\security seems like the correct location for the policy files to me. I actually gave you the wrong locations in my original post (sorry about that).  According to the installation instructions they belong in <java-home>\lib\security, which it looks like you've found.

                   

                  So something else is wrong. Here are some things to look at, in no particular order:

                   

                  1. Are you using a JVM other than the Java 1.6 that comes with CF10?

                  2. Did you restart Tomcat after copying the files in?

                  3. Note that I keep saying FILES, did you copy BOTH of the .jar files from the JCE folder you unzipped into the security directory?  It should have prompted you to overwrite existing files.

                  4. Did you try unzipping the files and copying them in again, on the chance that they did not overwrite the originals?

                   

                  Sorry, I don't have CF10 installed to give this a try. But I have no reason to believe that it would not work in 10. It's all just JCA/JCE on the underlying JAVA, and I have heard no reports from anyone else that it doesn't work.

                   

                  Jason
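
Added example (not part of the thread, and not code from either poster): one way to answer the original question of how to verify that the policy files are active for the JVM ColdFusion runs on, together with the 128-bit IV check from reply 2. It uses the standard Java call `javax.crypto.Cipher.getMaxAllowedKeyLength`; the variable names are illustrative.

```cfml
<!--- Added example; variable names are illustrative. Assumes ColdFusion 9 or later. --->

<!--- 1. Which JRE is ColdFusion running on? The policy jars must sit in THIS JRE's lib/security. --->
<cfset javaSystem = createObject("java", "java.lang.System") />
<cfset javaHome   = javaSystem.getProperty("java.home") />
<cfset javaVer    = javaSystem.getProperty("java.version") />

<!--- 2. Ask JCE for the largest AES key it accepts:
         128 = default (limited) policy, 2147483647 = unlimited policy is active. --->
<cfset maxAesBits = createObject("java", "javax.crypto.Cipher").getMaxAllowedKeyLength("AES") />

<cfoutput>
  java.home: #htmlEditFormat(javaHome)#<br>
  java.version: #htmlEditFormat(javaVer)#<br>
  Max AES key length allowed by policy: #maxAesBits# bits<br>
</cfoutput>

<cfif maxAesBits LT 256>
  <cfoutput>Unlimited-strength policy is not active in this JVM; a 256-bit key will fail with "Illegal key size".</cfoutput>
  <cfabort>
</cfif>

<!--- 3. AES has a 128-bit block, so the CBC IV is 16 bytes whatever the key size.
         A fresh random IV per message: 16 random bytes taken from a throwaway 128-bit key. --->
<cfset theKey = generateSecretKey("AES", 256) />
<cfset theIV  = binaryDecode(generateSecretKey("AES", 128), "base64") />
<cfset ivBits = arrayLen(theIV) * 8 />
<cfif ivBits NEQ 128>
  <cfthrow message="AES/CBC requires a 128-bit IV, got #ivBits# bits" />
</cfif>

<!--- 4. Round trip: decrypt needs the same key and IV, so store the IV (it is not secret) with the ciphertext. --->
<cfset plainText = "Is this working for me?" />
<cfset encrypted = encrypt(plainText, theKey, "AES/CBC/PKCS5Padding", "base64", theIV) />
<cfset decrypted = decrypt(encrypted, theKey, "AES/CBC/PKCS5Padding", "base64", theIV) />
<cfset roundTripOk = (compare(decrypted, plainText) EQ 0) />

<cfoutput>
  IV length: #ivBits# bits<br>
  Round trip OK: #yesNoFormat(roundTripOk)#<br>
</cfoutput>
```

If step 2 reports 128 after the jars were copied, compare the printed `java.home` with the directory the jars went into and restart the server.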